Corrupt Certificate information on local system

From: Allan S (nullconnect_at_gmail.com)
Date: 12/14/04

    Date: Tue, 14 Dec 2004 11:23:34 -0700
    To: focus-ms@securityfocus.com
    
    

    I was hoping someone here could help me with an issue that's happening
    here at work.

    I have a user that is attempting to use a certificate card to
    authenticate to the Windows domain. On her primary machine it gives
    the generic "credentials not verified" error message.

    Other people can log in to that machine with their cards, and the user
    can take her card and log in to different machines with no problem.

    We use roaming profiles but deleting and recreating the profile did
    not correct the issue.

    Deleting and re-adding her certs to the local store did not correct the
    issue either. And here's the weird thing - there are 3 certs on the
    card, but a 4th cert always shows up from somewhere.

    As a test I had the user try a digitally signed and encrypted email to
    herself. The signature came back as invalid and details on the problem
    showed that the cert was using an old email address of the user's.

    Checking all of the certs on the card shows that they are indeed
    displaying the proper (newer) email address.

    As a Hail Mary pass, I've cleaned out both the user's C:\Documents and
    Settings\user\Application Data\Microsoft\SystemCertificates\* and
    C:\Documents and Settings\user\Application Data\Microsoft\crypto\*
    profile keys, to no luck.

    This has happened often enough around here that standard procedure has
    been established - and that's to reload the operating system. But it
    happens often enough that it would be nice to have a targeted
    solution to actually fix the problem.

    Obviously the problem lies within the local hard drive - either a
    machine registry setting not letting go, or a bad cert or CRL stored
    somewhere outside of the profile area.

    Does anyone have any suggestions I might try or ideas on where I might look?

    Thanks.
